Saturday, 24 September 2016

Types of NMAP Scans and Using Them

TCP connect scan-

The attacker makes a full TCP connection to the target system. It is the most reliable scan type but also the most detectable. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.

XMAS tree scan-

The attacker checks for TCP services by sending XMAS-tree packets, which are named as such because all the “lights” are on, meaning the FIN, URG, and PSH flags are set (the meaning of the flags will be discussed later in this chapter). Closed ports reply with a RST flag.

SYN stealth scan-

This is also known as half-open scanning. The hacker sends a SYN packet and receives a SYN-ACK back from the server. It’s stealthy because a full TCP connection isn’t opened. Open ports reply with a SYN/ACK while closed ports reply with a RST/ACK.

Null scan-

This is an advanced scan that may be able to pass through firewalls undetected or modified. A Null scan has no flags set at all. It only works on Unix systems. Closed ports will return a RST flag.

Windows scan-

This type of scan is similar to the ACK scan and can also detect open ports.

ACK scan-

This type of scan is used to map out firewall rules. ACK scan only works on Unix. The port is considered filtered by firewall rules if an ICMP destination unreachable message is received as a result of the ACK scan.
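The scan types above are distinguished on the wire by which TCP flags the probe carries (none for Null, FIN/PSH/URG for XMAS, a bare SYN for connect and half-open, a bare ACK for the ACK scan). The following is an added example, not part of the original post, showing how a defender can classify probes by flag combination and flag a source that sweeps many ports with one probe type. The packet records and addresses are constructed; `parse_flags`, `classify_probe` and `find_port_sweeps` are names chosen here, not nmap or any library API.

```python
"""Classify TCP probes by flag combination and detect port sweeps.

Constructed example: packet records are (src, dst, dport, flag_letters)
tuples, with flag letters in the tcpdump style (S, A, F, P, U, R)."""
from collections import defaultdict
from typing import Iterable, Optional, Tuple

# TCP flag bits as they sit in the flags byte of the TCP header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Letter-to-bit map for the summary notation used in the sample records.
FLAG_LETTERS = {"F": FIN, "S": SYN, "R": RST, "P": PSH, "A": ACK, "U": URG}


def parse_flags(letters: str) -> int:
    """'SA' -> SYN|ACK, 'FPU' -> FIN|PSH|URG, '' -> 0 (no flags set)."""
    value = 0
    for ch in letters:
        value |= FLAG_LETTERS[ch]
    return value


def classify_probe(flags: int) -> Optional[str]:
    """Map a flag combination to the scan type from the text that sends it.

    Returns None for combinations that belong to ordinary traffic
    (SYN/ACK, ACK with data, RST, ...)."""
    if flags == 0:
        return "null"       # Null scan: no flags at all
    if flags == FIN | PSH | URG:
        return "xmas"       # XMAS tree: all the "lights" on
    if flags == FIN:
        return "fin"        # FIN scan
    if flags == SYN:
        return "syn"        # both the connect scan and the half-open scan start here
    if flags == ACK:
        return "ack"        # bare ACK, as sent by the ACK scan (also common in normal flows)
    return None


def find_port_sweeps(packets: Iterable[Tuple[str, str, int, str]],
                     threshold: int = 10) -> dict:
    """Return {(src, probe_type): port_count} for every source whose probes
    of a single type touched at least `threshold` distinct (dst, port) pairs.

    Counting distinct ports is what separates a scan from a normal client:
    a pure ACK to one port is routine, a bare ACK to dozens of ports is not."""
    ports = defaultdict(set)
    for src, dst, dport, letters in packets:
        kind = classify_probe(parse_flags(letters))
        if kind is not None:
            ports[(src, kind)].add((dst, dport))
    return {key: len(p) for key, p in ports.items() if len(p) >= threshold}


# Constructed sample traffic: one host sweeping 20 ports with XMAS probes,
# one host sending a bare ACK at three ports, and one normal HTTPS client
# completing a handshake (SYN, SYN/ACK, ACK, then data).
SAMPLE_PACKETS = (
    [("10.0.0.5", "10.0.0.9", port, "FPU") for port in range(1, 21)]
    + [("10.0.0.6", "10.0.0.9", port, "A") for port in (22, 80, 443)]
    + [("10.0.0.7", "10.0.0.9", 443, "S"),
       ("10.0.0.9", "10.0.0.7", 51000, "SA"),
       ("10.0.0.7", "10.0.0.9", 443, "A"),
       ("10.0.0.7", "10.0.0.9", 443, "PA")]
)

if __name__ == "__main__":
    for (src, kind), count in find_port_sweeps(SAMPLE_PACKETS).items():
        print(f"{src}: {kind} probes against {count} ports")
```

With the default threshold only the XMAS sweep is reported; lowering it to 3 also surfaces the bare-ACK host, while the HTTPS client's single SYN and single ACK never cross the line. Note that the flag combination alone cannot tell a connect scan from a half-open scan, since both open with a bare SYN; that distinction needs the rest of the flow (whether the third handshake packet is an ACK or a RST).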

The nmap command has numerous switches to perform different types of scans. The common command switches are listed below.

Common nmap command switches-

nmap command switch   Scan performed

-sT                   TCP connect scan
-sS                   SYN scan
-sF                   FIN scan
-sX                   XMAS tree scan
-sN                   Null scan
-sP                   Ping scan
-sU                   UDP scan
-sO                   Protocol scan
-sA                   ACK scan
-sW                   Windows scan
-sR                   RPC scan
-sL                   List/DNS scan
-sI                   Idle scan
-P0                   Don’t ping
-PT                   TCP ping
-PS                   SYN ping
-PI                   ICMP ping
-PB                   TCP and ICMP ping
-PP                   ICMP timestamp
-PM                   ICMP netmask
-oN                   Normal output
-oX                   XML output
-oG                   Greppable output
-oA                   All output
-T Paranoid           Serial scan; 300 sec between scans
-T Sneaky             Serial scan; 15 sec between scans
-T Polite             Serial scan; .4 sec between scans
-T Normal             Parallel scan
-T Aggressive         Parallel scan, 300 sec timeout, and 1.25 sec/probe
-T Insane             Parallel scan, 75 sec timeout, and .3 sec/probe

To perform an nmap scan, at the Windows command prompt type nmap followed by the IP address and any command switches needed to perform a specific type of scan.

For example, to scan the host with the IP address 192.168.0.1 using a TCP connect scan type, enter this command:

nmap 192.168.0.1 -sT

Make sure you’re familiar with the different types of nmap scans, the syntax to run nmap, and how to analyze nmap results. The syntax and switches used by the nmap command will be tested on the CEH exam.
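Analyzing nmap results is easier from the XML output (-oX) than from the screen text, because the per-port state (open, closed, filtered) and the reason nmap recorded for it are explicit attributes. The following is an added example, not part of the original post, that parses such a file into a per-host summary with Python's standard library. The XML string is constructed to follow the nmaprun/host/ports layout nmap writes; the addresses, ports and services are sample values, not real scan data, and `parse_nmap_xml`, `open_ports` and `state_counts` are names chosen here.

```python
"""Parse nmap XML output (-oX) into a per-host port summary.

Constructed example: SAMPLE_XML mimics the nmaprun/host/ports element
layout that nmap writes; the hosts and ports in it are made up."""
import xml.etree.ElementTree as ET
from collections import Counter
from typing import Dict, List, Tuple

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sT -oX scan.xml 192.168.0.1">
  <host>
    <status state="up" reason="syn-ack"/>
    <address addr="192.168.0.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open" reason="syn-ack"/>
        <service name="http"/>
      </port>
      <port protocol="tcp" portid="23">
        <state state="closed" reason="conn-refused"/>
        <service name="telnet"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="filtered" reason="no-response"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
  </host>
  <host>
    <status state="down" reason="no-response"/>
    <address addr="192.168.0.2" addrtype="ipv4"/>
  </host>
</nmaprun>
"""

# One port record: (port number, protocol, state, service name)
PortRecord = Tuple[int, str, str, str]


def parse_nmap_xml(xml_text: str) -> Dict[str, dict]:
    """Return {ipv4_addr: {"up": bool, "ports": [PortRecord, ...]}}.

    Hosts without an IPv4 address element are skipped; hosts that are down
    simply have an empty port list."""
    root = ET.fromstring(xml_text)
    hosts: Dict[str, dict] = {}
    for host in root.findall("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        status = host.find("status")
        up = status is not None and status.get("state") == "up"
        ports: List[PortRecord] = []
        for port in host.findall("ports/port"):
            state_el = port.find("state")
            service_el = port.find("service")
            ports.append((
                int(port.get("portid")),
                port.get("protocol"),
                state_el.get("state") if state_el is not None else "unknown",
                service_el.get("name") if service_el is not None else "",
            ))
        hosts[addr_el.get("addr")] = {"up": up, "ports": ports}
    return hosts


def open_ports(hosts: Dict[str, dict], addr: str) -> List[int]:
    """Sorted list of port numbers nmap reported as open for one host."""
    return sorted(p for p, _, state, _ in hosts[addr]["ports"] if state == "open")


def state_counts(hosts: Dict[str, dict], addr: str) -> Dict[str, int]:
    """How many ports were open, closed and filtered on one host; a large
    filtered count usually means a firewall is in the path."""
    return dict(Counter(state for _, _, state, _ in hosts[addr]["ports"]))


if __name__ == "__main__":
    results = parse_nmap_xml(SAMPLE_XML)
    for addr, info in results.items():
        print(addr, "up" if info["up"] else "down",
              "open:", open_ports(results, addr), state_counts(results, addr))
```

To use it on a real run, replace SAMPLE_XML with the contents of the file written by -oX; the same parsing applies to every scan type in the table, since the state attribute carries nmap's verdict regardless of which probe produced it.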